Resources

Store

OCR: BAs can't hold PHI hostage to resolve payment disputes

Physician Practice Insider, October 18, 2016

A business associate (BA) who cuts off a covered entity’s (CE) access to its own protected health information (PHI) may violate HIPAA, the Office for Civil Rights (OCR) said in a September 28 FAQ.

The potential for a HIPAA violation hinges on the impermissible use of PHI, OCR said. If a BA maintains PHI on behalf of a CE and blocks or terminates access to resolve a payment dispute or delay, OCR defines the act as an impermissible use of PHI on the part of the BA.

BAs, as well as CEs, are charged with keeping PHI secure and available. Maintaining availability means that the BA is required to make the PHI accessible to the CE even when the BA wishes to terminate its contract with the CE. The BA must return the CE’s PHI in a usable, accessible format when it terminates a contract and may not keep or withhold PHI. The BA may only destroy PHI under certain circumstances, which must be outlined in the BA agreement (BAA).

However, OCR added a caveat: It’s a CE’s responsibility to ensure the availability of its own PHI. If a CE accepts terms in a BAA that prevent the CE from ensuring access to its PHI, the CE may be in violation of HIPAA.

*MAGNET™, MAGNET RECOGNITION PROGRAM®, and ANCC MAGNET RECOGNITION® are trademarks of the American Nurses Credentialing Center (ANCC). The products and services of HCPro are neither sponsored nor endorsed by the ANCC. The acronym "MRP" is not a trademark of HCPro or its parent company.